[openssl-users] 'FIPS_CIPHERINIT:disabled' in fips mode error in 1.0.1e

jonetsu jonetsu at teksavvy.com
Mon Oct 26 20:44:59 UTC 2015

In 1.0.1e the following is observed when using OpenSSL in FIPS mode:

 % OPENSSL_FIPS=1 openssl pkcs12 -export -in
 /tmp/ipsec.d/certs/ -inkey
 /tmp/ipsec.d/private/ -name -out
 /tmp/ipsec.d/ -password pass:""

 3067167952:error:060A60A3:digital envelope routines:FIPS_CIPHERINIT:disabled for fips:fips_enc.c:142:
 3067167952:error:06074078:digital envelope routines:EVP_PBE_CipherInit:keygen failure:evp_pbe.c:205:
 3067167952:error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error:p12_decr.c:83:

 routines:PKCS12_item_i2d_encrypt:encrypt error:p12_decr.c:175:
 3067167952:error:23073067:PKCS12 routines:PKCS12_pack_p7encdata:encrypt 

In 'Re: PKCS12 keystore creation failing in fips mode' (May 29,
2013 9:15pm) the following is said:

  "That's a bug in 1.0.1 in that it tries to use an unapproved
  algorithm in FIPS mode.  Workaround: use the -descert option."

It is not possible for us to upgrade OpenSSL, but it would be
possible to apply a patch.  Does a patch exist that fixes this
problem and if so, where can it be found?  I do not know how
development is organized for OpenSSL (bug tracker, git?)

Thanks!
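
As an added example (not part of the original post, and not OpenSSL code): a small Python parser for error-queue lines in the format shown above. It splits the packed error code into library, function and reason numbers and picks the first complete entry, since the queue is printed oldest first and the later entries only propagate that failure. The function names and the rejoined sample lines are this example's own; the bit layout is the one OpenSSL 1.0.x defines in err.h.

```python
import re

# Packed error-code layout in OpenSSL 1.0.x (ERR_GET_LIB / ERR_GET_FUNC /
# ERR_GET_REASON in err.h): 8 bits library, 12 bits function, 12 bits reason.
LIB_NAMES = {6: "EVP", 35: "PKCS12"}  # only the two libraries seen in the post

LINE_RE = re.compile(
    r"^\s*(?P<tid>\d+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):"
    r"(?P<func>[^:]*):(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):"
)

def parse_error_line(text):
    """Return a dict for one complete error-queue line, or None for fragments."""
    m = LINE_RE.match(text)
    if m is None:
        return None
    code = int(m["code"], 16)
    rec = m.groupdict()
    rec.update(
        lib_id=(code >> 24) & 0xFF,
        func_id=(code >> 12) & 0xFFF,
        reason_id=code & 0xFFF,
    )
    rec["lib_short"] = LIB_NAMES.get(rec["lib_id"], "unknown")
    return rec

def root_cause(lines):
    """First complete entry: the failure that the later entries propagate."""
    for text in lines:
        rec = parse_error_line(text)
        if rec:
            return rec
    return None

def is_fips_rejection(rec):
    """True when the entry is the FIPS module refusing an algorithm."""
    return rec is not None and rec["reason"].strip() == "disabled for fips"

# Sample: the complete entries from the post, with mail line-wraps rejoined.
SAMPLE = """\
3067167952:error:060A60A3:digital envelope routines:FIPS_CIPHERINIT:disabled for fips:fips_enc.c:142:
3067167952:error:06074078:digital envelope routines:EVP_PBE_CipherInit:keygen failure:evp_pbe.c:205:
3067167952:error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error:p12_decr.c:83:
""".splitlines()

if __name__ == "__main__":
    rc = root_cause(SAMPLE)
    print(rc["lib_short"], rc["func"], rc["reason"], is_fips_rejection(rc))
```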

